Charcoal-SE / metasmoke

Web dashboard for SmokeDetector.
https://metasmoke.erwaysoftware.com
Creative Commons Zero v1.0 Universal

Potential future cookie issue: 'misusing the recommended “sameSite“ attribute' #721

Open makyen opened 4 years ago

makyen commented 4 years ago

In Firefox, I see the following warnings in the console when viewing metasmoke:

Some cookies are misusing the recommended “sameSite“ attribute:

  • Cookie “user.expires_at” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies
  • Cookie “_metasmoke_session” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies

This implies that at least Firefox will start rejecting MS' session cookies at some point in the future. For Chrome, rejecting such cookies is behind a flag as of Chrome 76. In a quick look, I didn't see when rejecting such cookies will become standard for either browser.
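The rule behind the Firefox warning above is simple enough to check server-side: a cookie whose `SameSite` attribute is `None` (or an unrecognised value, which the warning groups with `None`) must also carry `Secure`. The following is an added example, not metasmoke's own code, that parses `Set-Cookie` headers and reports cookies violating that rule; the sample headers are constructed to mirror the two cookies named in the warning, before and after a fix, and the `Lax`/`Secure` values used in the "after" set are the assumed fix, not a setting taken from the project.

```ruby
# Added example (not metasmoke's code): audit Set-Cookie headers for the
# SameSite=None-without-Secure combination that Firefox warns about.

# Values the SameSite attribute may legitimately take (matched case-insensitively).
SAME_SITE_VALUES = %w[strict lax none].freeze

# Parse one Set-Cookie header value into its name, value and attributes.
# Attribute names are downcased; flag attributes (Secure, HttpOnly) map to true.
def parse_set_cookie(header)
  parts = header.split(';').map(&:strip)
  name, value = parts.shift.split('=', 2)
  attrs = {}
  parts.each do |part|
    key, val = part.split('=', 2)
    attrs[key.downcase] = val.nil? ? true : val
  end
  { name: name, value: value, attributes: attrs }
end

# Return the list of problems for a parsed cookie, or [] if it is acceptable.
# Only the condition from the browser warning is checked: SameSite=None, or an
# invalid SameSite value (which Firefox treats like None), without Secure.
def audit_cookie(cookie)
  attrs = cookie[:attributes]
  same_site = attrs['samesite']
  secure = attrs.key?('secure')
  problems = []
  return problems if same_site.nil? # no attribute: browser applies its default

  normalized = same_site.to_s.downcase
  if !SAME_SITE_VALUES.include?(normalized)
    problems << "invalid SameSite value #{same_site.inspect} (treated like None)"
    problems << 'SameSite=None requires Secure' unless secure
  elsif normalized == 'none' && !secure
    problems << 'SameSite=None requires Secure'
  end
  problems
end

# Audit every Set-Cookie header of a response.
# Returns { cookie_name => [problems] } for cookies with at least one problem.
def audit_response_cookies(headers)
  headers.each_with_object({}) do |h, report|
    cookie = parse_set_cookie(h)
    issues = audit_cookie(cookie)
    report[cookie[:name]] = issues unless issues.empty?
  end
end

# Constructed sample headers: the first set reproduces the warning from the
# issue, the second shows the same cookies with the assumed fix applied.
BEFORE = [
  '_metasmoke_session=abc123; path=/; HttpOnly; SameSite=None',
  'user.expires_at=1600000000; path=/; SameSite=None'
].freeze

AFTER = [
  '_metasmoke_session=abc123; path=/; HttpOnly; Secure; SameSite=Lax',
  'user.expires_at=1600000000; path=/; Secure; SameSite=Lax'
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "before: #{audit_response_cookies(BEFORE)}"
  puts "after:  #{audit_response_cookies(AFTER)}"
end
```

Running the file prints both cookies as problems for the first set and an empty report for the second. In a Rails app the same outcome comes from the session store and cookie options rather than from hand-written headers; Rails 6.1 added `config.action_dispatch.cookies_same_site_protection` (defaulting to `:lax`) for this, which is consistent with the Rails 6 dependency mentioned in the next comment.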

thesecretmaster commented 4 years ago

I believe that this is reliant on an upgrade to rails 6, which is blocked by SensibleRoutes. I think it should just work if we upgrade but somebody (maybe me) needs to test it.